topic Re: How to pass multiple fields in Case or IF commands in Splunk Search

How to pass multiple fields in Case or IF commands

devsru — Thu, 05 Sep 2024 14:11:30 GMT

Hi Everyone,

I have some events with the field Private_MBytes and host = vmt/vmu/vmd/vmp

I want to create a case when host is either vmt/vmu/vmd and Private_MBytes > 20000 OR when host is vmp and Private_MBytes > 40000 then it should display the events with severity_id 4. Example

eval severity_id=if(Private_MBytes >= "20000" AND host IN [vmd*,vmt*,vmu*],4,2) eval severity_id=if(Private_MBytes >= "40000" AND host ==vmp*,4,2)

Note : if Private_MBytes > 40000, and then if there is any vmd/vmu/vmt it should display severity_id 4 only and for vmp also.

Re: How to pass multiple fields in Case or IF commands

yuanliu — Thu, 05 Sep 2024 03:38:03 GMT

If I must guess, the use of wildcard characters make your search not returning your desired results? (Syntax-wise, I am not sure if IN operator can use square brackets.) As you only illustrated two values, no need to use case.

| eval severity_id=if(Private_MBytes >= 20000 AND searchmatch("host IN (vmd*,vmt*,vmu*)") OR Private_MBytes >= 40000 AND host LIKE "vmp%", 4, 2)

Re: How to pass multiple fields in Case or IF commands

gcusello — Thu, 05 Sep 2024 06:43:58 GMT

Hi @devsru ,

you have to correlate your conditions using the boolean operators AND and OR and the parenthesys, aligned with the logic you need:

| eval severity_id=if((Private_MBytes>=20000 AND host IN ("vmd*","vmt*","vmu*")) OR (Private_MBytes>=40000 AND host="vmp*"), 4, 2)

Ciao.

Giuseppe

Re: How to pass multiple fields in Case or IF commands

gcusello — Tue, 24 Sep 2024 12:09:06 GMT

Hi @devsru ,

good for you, see next time!

Ciao and happy splunking

Giuseppe

P.S.: Karma Points are appreciated by all the contributors 😉